Gaia acts as a TACACS+ client for Gaia users that are defined on the TACACS+ server and are not defined locally on Gaia. The admin user must define a role called TACP-0 for the TACACS+ users, and the features allowed for the TACP-0 role.
Privilege Escalation
The Gaia admin user can define roles that let Gaia users temporarily get higher privileges than their regular ones. For example, Gaia user Fred needs to configure the interfaces, but his role does not allow interface configuration. To configure the interfaces, Fred enters his user name together with a password given to him by the admin user. This password lets him change from his default role to the role that allows him to configure the interfaces.
There are sixteen privilege levels (0 - 15) defined in TACACS+. Each level can be mapped to a different Gaia role. For example, by default all non-local TACACS+ Gaia users are assigned the role TACP-0, and the Gaia admin can define for them roles with the name TACP-N that give them different privileges, where N is a privilege level, a number from 1 to 15. TACACS+ users can change their own privileges by moving to another TACP-N role. To do this, they need to get the password for that role from the Gaia admin user.
To configure Gaia as a TACACS+ Client:

| Step | Description |
|---|---|
| 1 | Connect to Gaia OS as the |
| 2 | Define the role |
| 3 | Define the features for the role. For instructions, see Roles. |
| 4 | Optional: Define one or more roles with the name |
To raise TACP privileges using the Gaia Clish:

| Step | Description |
|---|---|
| 1 | Connect to the command line. |
| 2 | Log in to the Gaia Clish using the username and password of the TACACS+ user. |
| 3 | After the TACACS+ server authenticates you, you see the Gaia Clish prompt. At this point, you have the privileges of the TACP-0 role. Run: Where N is the new TACP role (an integer from 1 to 15). |
| 4 | When prompted, enter the applicable password. |

To go back to the TACP-0 role, press CTRL+D or enter exit at the command prompt. The user automatically exits the current shell and returns to TACP-0.
To show if the currently logged in user is authenticated by TACACS+, run:
show tacacs_enable
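The escalation rules above (every TACACS+ user starts at TACP-0, a target role must be TACP-1 to TACP-15 and must actually have been defined by the admin, the admin-issued password must match, and any failure leaves the user where they were) are easy to get wrong in a home-grown access layer. The following Python model is an added illustration written for this page; it is not Check Point code and does not show how Gaia implements this internally. The in-memory role store, the locally hashed escalation password, and the role names, feature names and password values are all constructed assumptions for the example.

```python
"""Model of the Gaia TACP-N privilege-escalation policy.

Added illustration for this page: not Check Point code, and not Gaia's
internal implementation. The role store, the locally hashed escalation
password, and all names/passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# TACACS+ defines privilege levels 0-15; each one can be mapped to a Gaia role.
MIN_LEVEL, MAX_LEVEL = 0, 15
DEFAULT_ROLE = "TACP-0"          # every non-local TACACS+ user starts here


def tacp_role(level: int) -> str:
    """Map a TACACS+ privilege level to the Gaia role name TACP-N."""
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"privilege level must be {MIN_LEVEL}-{MAX_LEVEL}, got {level}")
    return f"TACP-{level}"


@dataclass
class Role:
    name: str
    features: FrozenSet[str]            # features the admin allowed for this role
    salt: bytes = b""
    pw_hash: Optional[bytes] = None     # hash of the escalation password (None: none set)


class RoleStore:
    """Roles defined by the Gaia admin (assumed in-memory store for the example)."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def define(self, level: int, features, password: Optional[str] = None) -> Role:
        """Define TACP-N with its allowed features; TACP-1..15 need an escalation password."""
        name = tacp_role(level)
        if level > MIN_LEVEL and not password:
            raise ValueError(f"{name} needs an escalation password")
        salt = os.urandom(16) if password else b""
        pw_hash = self._hash(password, salt) if password else None
        role = Role(name, frozenset(features), salt, pw_hash)
        self.roles[name] = role
        return role

    def verify(self, name: str, password: str) -> bool:
        """Constant-time check of the password the admin handed out for a role."""
        role = self.roles.get(name)
        if role is None or role.pw_hash is None:
            return False
        return hmac.compare_digest(self._hash(password, role.salt), role.pw_hash)


@dataclass
class Session:
    """A TACACS+ user's Clish session; it starts at TACP-0 as on Gaia."""
    user: str
    store: RoleStore
    role: str = DEFAULT_ROLE

    def can(self, feature: str) -> bool:
        role = self.store.roles.get(self.role)
        return role is not None and feature in role.features

    def tacacs_enable(self, level: int, password: str) -> str:
        """Move to TACP-N. Any failure leaves the session at its current role."""
        if level < 1:
            raise PermissionError("escalation target must be TACP-1 .. TACP-15")
        target = tacp_role(level)            # ValueError for anything above 15
        if target not in self.store.roles:
            raise PermissionError(f"{target} is not defined by the Gaia admin")
        if not self.store.verify(target, password):
            raise PermissionError(f"wrong escalation password for {target}")
        self.role = target
        return self.role

    def exit(self) -> str:
        """CTRL+D / exit: leave the escalated shell and drop back to TACP-0."""
        self.role = DEFAULT_ROLE
        return self.role


def demo() -> dict:
    """Walk user 'fred' through the page's scenario with constructed roles."""
    store = RoleStore()
    store.define(0, {"show"})                                   # read-only default
    store.define(5, {"show", "interface"}, password="s3cret")  # constructed password
    s = Session("fred", store)
    out = {"start": s.role, "iface_before": s.can("interface")}
    try:
        s.tacacs_enable(5, "wrong")
    except PermissionError:
        pass
    out["after_bad_pw"] = s.role
    out["escalated"] = s.tacacs_enable(5, "s3cret")
    out["iface_after"] = s.can("interface")
    out["back"] = s.exit()
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for an audit are that a wrong password or an undefined TACP-N never changes the session's role, and that leaving the escalated shell always lands on TACP-0 rather than on whatever role was active before. On a real Gaia system the escalation password is whatever the admin issued for that role; the local PBKDF2 hash here only stands in for that check.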
To raise privileges in the Gaia Portal:

| Step | Description |
|---|---|
| 1 | In your web browser, connect to the Gaia Portal. |
| 2 | Enter the username and password of the TACACS+ user. After the TACACS+ server authenticates you, you have the privileges of the TACP-0 role. |
| 3 | To raise the privileges to the |
| 4 | Enter the password for the user. |
Note - Do not define a new local user for external users. An external user is one that is defined on an authentication server (such as RADIUS or TACACS+) and not on the local Gaia system.